apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 https://www.apidays.global/new-york/ Android Applications and APIs Hacking Gabrielle Botbol, Offensive Security Advisor at Desjardins ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. Gabrielle Botbol
Offensive Security Advisor
Desjardins
Beyond API Regulations for Finance,
Insurance, and Healthcare
May 16 & 17, 2023

2. Who am I?
Gabrielle Botbol
@Gabrielle_BGB
/in/gabriellebotbol
https://csbygb.github.io/

3. What is Android App Pentest?

4. Why Android App Pentest?
July 13th 2022

5. Some figures
Source: https://www.zimperium.com/global-mobile-threat-report/
New Mobile Malware
Samples Detected in the
Wild in 2021
Increase in Exploited,
Zero-Day Mobile
Vulnerabilities
Enterprises Reported
Mobile Devices and Web
Apps Led To A Security
Incident
Phishing Sites
Specifically
Targeted Mobile
Devices
Of Mobile Devices
Encountered Malicious
Applications
Worldwide
10M+
466%
2,034,217+
Mobile Endpoints
Impacted
By Threats
42% 75% 23%

6. What about Android APIs?
Why dev use APIs?
- Manipulate data from remote locations
- Third party services
- Improve performance
- Code Reuse
- Flexible and scalable
- They can also make their own APIs

7. Android App pentest process
We’ll dive into these together
Planning
Reco
-naissance
Static Analysis
Dynamic
Analysis Report
1 2
3
4
5

8. The importance of the lab

9. What you will need
- Jadx
- apktool
- ADB
- Android
Studio
- Burp Suite
Tools:

10. Set up the lab - Installs
Install Jadx
Install adb
Install apktool
https://ibotpeaches.github.io/Apktool/install/
Install Android Studio Download https://developer.android.com/studio
Install Burp Suite
Download and install the version according to your system here
https://portswigger.net/burp/releases/professional-community-2021-12-1?requestededition
=community
For more info on these installs
- JADX https://github.com/skylot/jadx
- ADB https://www.xda-developers.com/install-adb-windows-macos-linux/
sudo apt install default-jdk
sudo apt install jadx
./jadx-gui
sudo apt-get install adb

11. Set up the lab - Create an emulator

12. Set up the lab - Configure burp
How to Bypass certificate
pinning:
https://csbygb.gitbook.io/penti
ps/mobile-app-pentest/androi
d#how-to-bypass-certificate-p
inning
Practical examples of
bypass of cert pinning:
https://csbygb.gitbook.io/penti
ps/writeups/htbtracks/htb-intr
o-to-android-exploitation-trac
k
=> Challenge: Pinned
=> Challenge: Anchored

13. Vuln Apps used for the examples
Get PIVAA here:
https://github.com/HTBridge/pivaa
Purposefully Insecure and Vulnerable Android
Application.
Get InjuredAndroid here:
https://github.com/B3nac/InjuredAndroid
/releases/tag/v1.0.12

14. Static Analysis
What to check:
- AndroidManifest.xml
- Strings.xml
- Enumerate Database
- Search for secrets and sensitive data

15. How to check the code
Jadx ./jadx-gui
apktool apktool d app.apk
Decompiled files with apktool

16. Static Analysis: Find the API endpoints
- Search for keywords “http”, “https”, etc.
- Look for function or classes (requests &
responses)
- Manifest: permissions for network
communications
- Check the JS files or AIDL files

17. Static Analysis: How are APIs called - Example
[STRIPPED]
public class ApiCallTask extends AsyncTask<String, Void, String> {
[STRIPPED]
try {
URL url = new URL(apiUrl);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
Log.d(TAG, "API response code: " + responseCode);
BufferedReader in = new BufferedReader(new
InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer responseBuffer = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
responseBuffer.append(inputLine);
}
in.close();
response = responseBuffer.toString();
} catch (IOException e) {
Log.e(TAG, "API call failed", e);
}
return response;
}
[STRIPPED]
new
ApiCallTask().execute("http
s://api.example.com/data");
Class used and
executed in an
instance

18. Static Analysis: Fetch API Javascript - Example
function fetchData() {
var apiUrl = "https://api.example.com/data";
var xhr = new XMLHttpRequest();
xhr.open("GET", apiUrl, true);
xhr.onreadystatechange = function() {
if (xhr.readyState === 4 && xhr.status === 200) {
var data = JSON.parse(xhr.responseText);
displayData(data);
}
};
xhr.send();
}

19. Static Analysis: API vulnerabilities
2022 2019
“This is a private key! WTF, man!” - Alissa Knight - 2019
How I hacked 30 mobile banking apps & the future of API Security,
Alissa Knight
Thousands of Android apps leak hard-coded secrets, research
shows - Cybernews

20. Example with InjuredAndroid - Strings
<string
name="google_api_key">AIzaSyCUImEIOSvqAswLqFak75xhskkB6illd7A</string>
<string
name="google_app_id">1:430943006316:android:d97db57e11e42a1a037249</str
ing>
<string
name="google_crash_reporting_api_key">AIzaSyCUImEIOSvqAswLqFak75xhskkB6
illd7A</string>
<string
name="google_storage_bucket">injuredandroid.appspot.com</string>
/res/values/strings.xml

21. General Tips for static analysis

22. Grep it!
/uploads directory
apktool d app.apk
grep -r “unsafe secret”
More tips on grep here:
https://csbygb.gitbook.io/pentips/digital-skills/us
eful-linux#grep

23. Tools for static analysis
- Firebase Enum Github:
https://github.com/Sambal0x/firebaseEnum
- FireBaseScanner:
https://github.com/shivsahni/FireBaseScanner
- Cloud Enum https://github.com/initstring/cloud_enum

24. Dynamic Analysis
What to check:
- Tapjacking
- Can you capture screens with sensitive data
- OWASP Top 10
- Analyse traffic with burp to find odd things

25. Dynamic Analysis: Find API endpoint
/api
/api/v1
/v1
/docs
/rest
/v1
/v2
/v3
/swagger
/swagger.json
/doc/graphql
Use a wordlist and FUZZ:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/
api/api-endpoints.txt

26. Example with PIVAA - BG capture

27. Automatic tools
- MobSF
https://github.com/MobSF/Mobile-Security-Framework-Mo
bSF
- Qark https://github.com/linkedin/qark

28. General tips: Common API vulnerabilities to look for
- API1:2019 Broken Object Level Authorization
- API3: 2019 Excessive Data Exposure
- API7:2019 Security Misconfiguration
- API9:2019 Improper Assets Management
Find more here:
https://github.com/OWASP/API-Security/tree/master/2019/en/src
More tips on API pentest here: https://csbygb.gitbook.io/pentips/web-pentesting/api

29. General tips: Use checklists
MindAPI - David Sopas: https://dsopas.github.io/MindAPI/play/
Official OWASP MAS Checklist: https://mas.owasp.org/MAS_checklist/

30. How to report

31. How to report - Example
Broken Object Access Control
Severity: Medium
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Description
A BOLA (Broken Object Level Authorization) vulnerability is a security issue that allows an
attacker to access or manipulate sensitive data or functionality in an application by
modifying the object ID in the API requests. This vulnerability arises when the application
lacks proper authorization checks and fails to enforce access control restrictions on user
input.
In our context, we identified a BOLA vulnerability in the API of the application. This
vulnerability could allow an attacker to bypass the access control measures and gain
unauthorized access to sensitive data or functionality in the application.

32. How to report - Example
Broken Object Access Control
Remediation
We recommend that the development team implement proper authorization checks
in the API to prevent this vulnerability from being exploited. Additionally, we
suggest conducting a thorough review of the application's access control
mechanisms to identify and address any other potential BOLA vulnerabilities.
Resource
https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-obje
ct-level-authorization.md

33. Get these slides and all the resources
https://csbygb.gitbook.io/
Android tips and BIG list of FREE
resources:
https://csbygb.gitbook.io/pentips/mobile-
app-pentest/android

34. Android Application Pentest Article - Pentest Magazine
- My article about Android Application Pentest
https://pentestmag.com/product/pentest-play-in-yo
ur-own-pentest-lab-in-2022/

35. Quiz to go
Check out the quiz about this
presentation here:
https://forms.gle/GPymC3RrsmCRLxY
C6

36. Special shout out
https://www.apisecuniversity.com/

37. Thanks